Basic VPN to Cisco ASA without authentication

Posted on 2009-05-06
Last Modified: 2012-05-06
Could anyone help me? I'm vaguely familiar (but certainly no expert) with the PIX, but this is my first ASA, and it's giving me grief! I've got most of it working, but I'm stuck on the VPN. We use VPN to PIX to access small sites without further authentication -- just group name and password and connect. (I know it's not good for security, but for what we do it works well, and often we have no other option anyway.)
Anyway, I can't get it to work on the ASA, but could really do with it, urgently!
Below are what I think are the relevant code fragments...
Could anyone please point me in the right direction... Please don't say it isn't possible any more!!
PIX code that seems to do the trick; comments in brackets are the bits the ASA turned its nose up at:
crypto ipsec transform-set transet1 esp-des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup lestac address-pool vpnpool (vpngroup deprecated)
vpngroup lestac password secret (ditto)
vpngroup lestac dns-server yserver1 (ditto)
vpngroup lestac wins-server yserver1 (ditto)
vpngroup lestac default-domain harlow (ditto)
vpngroup lestac idle-time 1800 (ditto)
ASA "bits" I tried to use to replace the "deprecated" PIX bits to get the same effect:
tunnel-group lestac type ipsec-ra
tunnel-group lestac general-attributes
address-pool vpnpool
tunnel-group lestac ipsec-attributes
pre-shared-key secret
default-group-policy lestac
group-policy lestac attributes
wins-server value
dns-server value
default-domain value harlow.local
vpn-idle-timeout 1800
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec


Question by:seworby

Expert Comment

ID: 24319983
For an ASA remote access VPN, you need pieces, three of which can be named the same: a group-policy, a tunnel-group, and a username. Here's a very basic example for vendor access:

# Create an ACL for vendor access to any destination
access-list vendor_acl extended permit ip any any

# Create a group policy
group-policy vendor internal

# Define the acl this policy will use
group-policy vendor attributes
  vpn-filter value vendor_acl

# Create the user
username vendor password *****

# Define the group policy and acl to control this user
username vendor attributes
  vpn-group-policy vendor
  vpn-filter value vendor_acl

# Define a tunnel group - type for remote access is 'ipsec-ra'
tunnel-group vendor type ipsec-ra

# Define the group characteristics
tunnel-group vendor general-attributes
  default-group-policy vendor

# Define the group password
tunnel-group vendor ipsec-attributes
  pre-shared-key *****

There are lots of other keywords you can include; for example, you can add 'vpn-idle-timeout 15' to the group-policy section and have the VPN log out after 15 minutes of idle time, you can add 'vpn-framed-ip-address' under the username attributes to assign an IP address to that user, and so on. But this framework will get you started... for more info, check out this link:


Expert Comment

ID: 24319997
Sorry about the typo... the first line should read "you need four pieces..."  - the three names and an ACL.

Author Comment

ID: 24322642
Thanks for your help on this. As you can see from my code, I've got most of this in place. I've got the access_list bits in place, too, but didn't quote them because it's just not getting that far. I can't get past the Cisco client asking for username and password. The only bit I haven't got is the vpn_filter value bit, but I don't think it's going to be that causing my problem?
Having spent some time reading up last night, I'm wondering if it's my AAA I've got wrong. I'll have access to the ASA in a couple of hours and I'll take another look.
I'll let you know how I get on.

Accepted Solution

seworby earned 0 total points
ID: 24325599
I have it working. Whether it's the right way or not is a different matter...
The key to it is to set up a user so it has a user in the database to allow the secondary authentication to authenticate against. It seems this isn't necessary on the PIX but is on the ASA.
The vpn_filter value turned out in the end to be a bit of a red herring, as having it on prevented traffic from passing once connected.
username xzy password xyz123 privilege 2
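The expert comment above lays out the four pieces an ASA remote-access VPN needs (an ACL, a group-policy, a tunnel-group and a username), and the accepted solution found that the local username is the piece the ASA will not do without. The following checker is an added example, not code from the thread or from Cisco: it parses a flattened ASA config in the shape posted in this thread, cross-references those four pieces by name, and also flags the DES/MD5 settings from the PIX snippet. The sample config embedded in it is constructed from the expert's example plus the PIX crypto lines; the function names and the finding strings are my own.

```python
"""Cross-check the remote-access VPN pieces in a flattened ASA config.

Added example (not the thread's own code). It verifies that:
  * at least one local username exists (the accepted solution's finding)
  * each tunnel-group is type ipsec-ra and carries a pre-shared-key
  * a tunnel-group's default-group-policy names an existing group-policy
  * any vpn-filter references a defined access-list
and it flags the weak esp-des / md5 settings carried over from the PIX.
"""
import re
from collections import defaultdict

# Constructed sample: the expert's example plus the PIX crypto lines from the question.
SAMPLE_CONFIG = """\
access-list vendor_acl extended permit ip any any
crypto ipsec transform-set transet1 esp-des esp-md5-hmac
isakmp policy 10 encryption des
isakmp policy 10 hash md5
group-policy vendor internal
group-policy vendor attributes
  vpn-filter value vendor_acl
  vpn-idle-timeout 15
username vendor password *****
username vendor attributes
  vpn-group-policy vendor
tunnel-group vendor type ipsec-ra
tunnel-group vendor general-attributes
  default-group-policy vendor
tunnel-group vendor ipsec-attributes
  pre-shared-key *****
"""

WEAK_CRYPTO = re.compile(r"\b(esp-des|esp-md5-hmac|encryption des|hash md5)\b")


def parse_asa(text):
    """Collect the named objects; indented lines belong to the open attributes block."""
    cfg = {"acls": set(), "group_policies": set(), "usernames": set(),
           "tunnel_groups": defaultdict(dict), "vpn_filters": [], "weak": []}
    section = None  # (kind, name) of the current attributes block, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if WEAK_CRYPTO.search(line):
            cfg["weak"].append(line.strip())
        parts = line.split()
        if not line.startswith(" "):
            section = None  # a top-level command closes any open block
            if parts[0] == "access-list":
                cfg["acls"].add(parts[1])
            elif parts[0] == "group-policy":
                cfg["group_policies"].add(parts[1])
                if parts[2:3] == ["attributes"]:
                    section = ("group-policy", parts[1])
            elif parts[0] == "username":
                cfg["usernames"].add(parts[1])
                if parts[2:3] == ["attributes"]:
                    section = ("username", parts[1])
            elif parts[0] == "tunnel-group":
                tg = cfg["tunnel_groups"][parts[1]]
                if parts[2] == "type":
                    tg["type"] = parts[3]
                else:  # general-attributes / ipsec-attributes open a block
                    section = ("tunnel-group", parts[1])
            continue
        if section is None:
            continue
        kind, name = section
        if parts[0] == "vpn-filter" and parts[1] == "value":
            cfg["vpn_filters"].append((kind, name, parts[2]))
        elif kind == "tunnel-group":
            if parts[0] == "default-group-policy":
                cfg["tunnel_groups"][name]["policy"] = parts[1]
            elif parts[0] == "pre-shared-key":
                cfg["tunnel_groups"][name]["psk"] = True
    return cfg


def check_remote_access(cfg):
    """Return a list of findings; an empty list means the four pieces line up."""
    findings = []
    if not cfg["usernames"]:
        findings.append("no local username: the client's user/password prompt cannot succeed")
    for name, tg in cfg["tunnel_groups"].items():
        if tg.get("type") != "ipsec-ra":
            findings.append(f"tunnel-group {name}: type is not ipsec-ra")
        if "psk" not in tg:
            findings.append(f"tunnel-group {name}: no pre-shared-key")
        pol = tg.get("policy")
        if pol and pol not in cfg["group_policies"]:
            findings.append(f"tunnel-group {name}: default-group-policy {pol} is not defined")
    for kind, name, acl in cfg["vpn_filters"]:
        if acl not in cfg["acls"]:
            findings.append(f"{kind} {name}: vpn-filter {acl} is not a defined access-list")
    findings.extend(f"weak crypto: {line}" for line in cfg["weak"])
    return findings


if __name__ == "__main__":
    for finding in check_remote_access(parse_asa(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the only findings are the three weak-crypto lines; drop the two username lines and the checker reports the missing local user that the accepted solution had to add.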
